Re: Updated Revocation Best Practices

2019-03-16 Thread Wayne Thayer via dev-security-policy
Ryan - Thank you for the feedback.

On Fri, Mar 15, 2019 at 6:14 PM Ryan Sleevi wrote:
> While I realize the thinking is with regards to the recent serial number issue, a few questions emerge:
>
> 1) Based on the software vendor reporting, they don't view this as a software defect, but a CA m

Re: CAA records on a CNAME

2019-03-16 Thread Jan Schaumann via dev-security-policy
Corey Bonnell via dev-security-policy wrote:
> If I recall correctly, there was some discussion in late 2017 in the IETF LAMPS WG (the working group producing the successor to the current CAA RFC 6844)

Thanks for noting this. Sounds like that's the best group to continue the discussion in.

GRCA Incident: BR Compliance and Document Signing Certificates

2019-03-16 Thread Wayne Thayer via dev-security-policy
In bug 1523221 [1], GRCA (Government of Taiwan) has responded to a misissuance report by stating that the certificates in question are not intended for serverAuth or emailProtection. However, our policy applies to certificates **capable** of being used for serverAuth or emailProtection, including t

Re: Pre-Incident report: PKIoverheid Serial Number Entropy

2019-03-16 Thread Wayne Thayer via dev-security-policy
Thank you for this incident report. I have created https://bugzilla.mozilla.org/show_bug.cgi?id=1535871 to track this issue.

- Wayne

On Wed, Mar 13, 2019 at 9:56 AM Berge, J. van den (Jochem) - Logius via dev-security-policy wrote:
> Hello MDSP,
>
> Logius PKIoverheid wants to report a potentia

Re: GRCA Incident: BR Compliance and Document Signing Certificates

2019-03-16 Thread Matthew Hardeman via dev-security-policy
I think answers to the following questions might be helpful:

1. What software / types of software are being utilized which would give compatibility issues? What is the validation logic of those applications / systems?
2. If these certificates don't have a purpose known to or respected by the W

Re: Pre-Incident Report - AT&T GlobalSign customer CA Serial Number Entropy

2019-03-16 Thread Wayne Thayer via dev-security-policy
Thank you for the incident report. I have created https://bugzilla.mozilla.org/show_bug.cgi?id=1535873 to track this issue.

- Wayne

On Wed, Mar 13, 2019 at 1:35 PM Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> When the serial number issue was first disclo

Re: GRCA Incident: BR Compliance and Document Signing Certificates

2019-03-16 Thread Matthew Hardeman via dev-security-policy
While sending a message that non-compliance could result in policy change is generally a bad idea, I did notice something about the profile of the non-compliant certificate which gave me pause: None of the example certificates which were provided include a SAN extension at all. Today, no valid ce